General

Why do I need cyber liability insurance if my practice is proactive about Internet security and safeguarding ePHI?

There is no "fail safe" cyber security per se. The level of sophistication and persistence of hackers today is remarkable. They are constantly probing for any weakness in systems or people. Even well-defended organizations can experience a data breach from employees who run malicious code or attempt to gain unauthorized access to a network. It’s all about likelihood, vulnerabilities, and impact. Data breaches can arise from many sources, including:

hackers gaining access through a malware or phishing attack;

lost or stolen unencrypted mobile storage devices;

employee negligence or malfeasance; and

lack of internal policies and/or system failures.

Health care records contain sensitive and valuable information for medical identity theft. A cyber criminal can get $50 or more for a complete medical record. Two common objections we hear from medical practices are "A data breach won’t happen to us. We’re too small" or "Our data is 100% secure." Yet, you can have the best cyber security and still have a data breach. For example, an employee inadvertently gave out his password, as described in The Current State of CyberCrime 2014.

What about the cost of cyber liability insurance?

Cyber insurance plays a vital role in financing and managing cyber risks. Simply completing the insurance application can be a "mini risk assessment." Doing so can lead to a better understanding of your cyber security risks. Data breaches and their potential financial impact are often under-appreciated.

Direct costs of a data breach can include legal expenses for breach notifications or to defend third-party lawsuits; IT forensics for data restoration; public relations; credit monitoring services; call center support; and potential regulatory fines and penalties. The indirect costs can include a loss of revenue; loss of patient good will and reputation (i.e., from adverse media reports); and the loss of employee and business productivity.

For health care providers, most medical professional liability policies include some level of cyber liability coverage. The limits of liability are typically in the range of $25,000 to $100,000 per claim and in the aggregate. However, in certain data breach incidents, the costs of a breach can quickly exceed these underlying limits. Therefore, it’s very important for any organization that suspects a data breach to call its professional liability or cyber liability carrier immediately to report the incident. Each breach requires a specific response, and there are required reporting timelines.

Because the total cost of a data breach can be significant, we recommend organizations maintain high limits of liability ($1 million or above per claim and in the aggregate). This is important because if the organization's underlying cyber liability limits are exhausted to pay the costs of a data breach, all further investigation, defense, and remediation expenses will fall to the organization. Because an Office for Civil Rights (OCR) investigation can linger, the organization may not know for several years if any fines or penalties will be imposed.

Can you give an example of a cyber claim?

TMLT policyholders have reported more than 430 breach incidents since we added cyber liability coverage to our policies in December 2011. One policyholder received an investigation letter from the OCR because the practice’s office computers, including an unencrypted laptop, had been stolen. Office staff were unable to access patient electronic records during appointments and (allegedly) failed to notify patients of the breach of their protected health information (PHI). The OCR also requested a matrix of other documentation, including a copy of the policyholder’s most recent security risk assessment. Their TMLT cyber liability coverage paid for their breach-related expenses.

What does a cyber risk insurance policy typically cover?

There is no uniformity of cyber liability coverage forms. But the majority of cyber liability insurance policies include coverage for both first-party and third-party losses, although some coverage forms may lack important protection, such as for cyber extortion/ransomware or regulatory fines and penalties.

First-party coverage typically includes coverage to restore or recover the policyholder’s lost or damaged computer programs and data; for breach response services for patient notifications and credit monitoring expenses; for crisis management and public/media relations; for cyber extortion and cyber terrorism; and for cyber crime/financial fraud. Some cyber liability policies also include first-party coverage for the loss of revenue and extra expenses due to a business interruption.

Third-party coverage typically includes coverage to defend and indemnify liability claims related to security and privacy breaches resulting in the disclosure of confidential information; for regulatory investigations and fines and penalties; and for claims related to media liability alleging personal injury or invasion of privacy. Some policies also include coverage for errors and omissions.

What is excluded from a cyber liability policy?

Common exclusions include unencrypted data on mobile devices; bodily injury; criminal acts (there’s usually an exception for innocent parties); and, in some policies, the insured’s failure to maintain the security of its network in accordance with industry standards, internal policies, and/or regulations.

Some providers also provide fee-based technology services to other practices. Losses arising from this type of professional service are typically not covered by cyber liability policies. If the practice provides technology services to others, such as hosting, managing, or administering someone else’s computer systems and data, or designing, programming, installing, servicing, and supporting others’ IT infrastructure, it also needs to purchase technology errors and omissions coverage.

How is the cost of a cyber liability insurance policy typically calculated?

In most cases, the rating factors are the number of personally identifiable records stored electronically and in paper files; the estimated annual gross revenue; or the number of physicians, as well as the limits of liability and any optional endorsements desired by the insured.

Key to the acceptability and affordability of coverage is the "security posture" of the organization. If the organization answers "No" to essential underwriting questions such as: "Do you enforce a security policy that must be followed by all employees, contractors, or any other person with access to your network?" or "Does your security and privacy policy include mandatory training for all employees?" or "Is all data in transit or stored on mobile devices encrypted and remote access to your network authenticated?" then coverage may be declined or a higher premium charged.

What should we consider before buying cyber risk insurance?

Cyber insurance is not a substitute for a good cyber security program, as not all losses can be covered by insurance. The benefits of an effective cyber risk management program and disaster recovery plan include prevention of cyber losses; preservation of electronic data; continuity of business with minimal loss of productivity; fulfillment of service commitments to patients; compliance with state and federal privacy and security laws; and protection of the practice’s reputation.

Many smaller organizations that handle electronic protected health information (ePHI) mistakenly believe that HIPAA's required Security Risk Analysis is optional for them. They may also believe that installing an EHR fulfills the risk analysis requirement for meaningful use, or that the EHR vendor "took care of privacy and security." These assumptions are incorrect. All covered entities subject to the HIPAA Security Rule must conduct a risk assessment of their administrative, physical, and technical safeguards, as well as their compliance with HIPAA's Privacy Rule and Breach Notification Rule, including up-to-date policies and procedures. In most cases, this includes the following steps:

establish an enterprise-wide security culture;

encrypt data on mobile and storage devices;

back up data in real-time and store it offline;

use firewalls;

immediately install software updates/patches;

use strong passwords and change them regularly;

use two-factor authentication;

limit network and physical access to sensitive data;

obtain business associate agreements from all service providers who have access to the practice’s data; and

select your service providers carefully, and assess their data security to ensure they are HIPAA compliant.

Lost or stolen laptops and mobile storage devices containing the ePHI of patients are a recurring problem. ePHI is being stored more frequently on portable devices, and there will be more breaches involving these devices. Mitigating that risk by encrypting the data would significantly reduce the likelihood of breach claims. Indeed, encryption must become a higher priority throughout the health care industry, and it will also help an organization maintain insurability and perhaps obtain a lower price for cyber insurance.

Complacency is not a risk management strategy. An incident response plan that addresses cyber risks is good for the business side of your organization: clients expect their sensitive personal information to be secure, the plan protects the organization's reputation, and it avoids downtime and the potential loss of income and extra expenses. Guarding against cyber threats requires a multi-layered, proactive risk management strategy that is focused on identifying, assessing, and responding to potential risks. And that requires leadership to actively promote policies and procedures, best practices, risk controls, accountability, and privacy training.

Today there are many external resources available to assist your organization with its IT systems, risk assessments, and privacy training. TMLT offers cyber security tools and resources to help policyholders and non-policyholders prepare for and to mitigate breach incidents. Organizations often need external assistance with their cyber risk management, as cyber attacks continue to grow in sophistication and frequency.

Why is contract due diligence so important?

Contractual risk transfer is common today and is increasingly imposed upon health care entities that handle sensitive personal information. The need for careful contract review is vital, particularly in the area of liability assumed under contract in the form of a written hold-harmless or indemnity agreement.

Attempts to contractually transfer all or part of the financial consequences of a loss to another party (who is not an insurer) occur in a myriad of contracts, including website privacy statements, company privacy policies, third-party service contracts (e.g., with cloud service providers), and Merchant Service Agreements.

It is imperative that organizations also review these contracts for any insurance requirements. Signing contracts without due consideration of whether you have applicable cyber liability or professional liability coverage could put your organization at financial risk.

Insurance is a form of risk financing and, depending upon the coverage provisions, it may or may not provide the funding of some liabilities/indemnities assumed under contract. If there are any specified insurance requirements, you should try to obtain coverage that "dovetails" with the indemnity obligations, if possible.